With nine.ch as an industrial partner, Ueli Bosshard and Philipp Christen completed their bachelor thesis on “Orchestration of security updates for Linux server systems” in the spring semester of 2016. In this guest post, they give us an introduction to the problem and the solution they came up with.
Managing updates is fairly easy for a normal user. The operating system shows a notification that an update is pending, the user clicks “Install”, and they’re done. They may need to reboot the system, but that’s it. This still works well with two, three or five systems. But what happens when you have dozens or hundreds of systems to manage all at once? Or when configurations vary and the latest version of each installed application and service is not allowed on every system?
This is exactly the situation at nine.ch: a great many systems, configured in a variety of ways, all with pending updates waiting to be installed. The goal is to keep these systems up to date as easily and efficiently as possible.
Existing solutions such as Landscape, Ansible or Puppet could be used, but these are either expensive, closed-source, or only able to install software and not manage it. What would be preferable is a (Rails) application that can be integrated into and maintained within the existing environment at nine.ch.
The basic idea behind upd89 is that each system to be managed runs an agent which communicates with the package management tool and detects when an update is available. The agent reports this to the centralised control centre, which collects the data and processes it for the user. Users log into the control centre via a web interface and select which updates should be installed and where. This creates a task which the control centre sends to the agents concerned, where the package manager is used once again to install the update. Once this is complete, the status is returned.
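To make the agent side of this flow concrete, here is an added example (not code from the upd89 project) that assumes Debian/Ubuntu hosts with apt as the package management tool. It parses constructed `apt list --upgradable` output into the report an agent would send, then turns a task from the control centre into pinned install commands, skipping any package that is not pending on the host or whose candidate version no longer matches what the user selected.

```ruby
require 'json'

# Constructed sample of `apt list --upgradable` output (not captured from a real host).
SAMPLE_APT_LIST = <<~OUT
  Listing... Done
  openssl/xenial-updates 1.0.2g-1ubuntu4.5 amd64 [upgradable from: 1.0.2g-1ubuntu4.1]
  nginx-core/xenial-updates 1.10.0-0ubuntu0.16.04.4 amd64 [upgradable from: 1.10.0-0ubuntu0.16.04.2]
OUT

# One line per upgradable package: name/suite candidate arch [upgradable from: installed]
LINE_RE = %r{\A(?<name>\S+)/(?<suite>\S+)\s+(?<candidate>\S+)\s+(?<arch>\S+)\s+\[upgradable from: (?<installed>[^\]]+)\]\z}

# Agent side: turn the package manager's output into structured pending updates.
def parse_upgradable(output)
  output.each_line.map do |line|
    m = LINE_RE.match(line.strip) or next
    { name: m[:name], installed: m[:installed], candidate: m[:candidate], suite: m[:suite] }
  end.compact
end

# The report the agent sends to the control centre for this host.
def build_report(hostname, output)
  { host: hostname, pending: parse_upgradable(output) }
end

# Agent side: plan a task received from the control centre. Only packages named in the
# task are touched, and each is pinned to the exact version the user approved, so a
# package whose candidate changed in the repository since the report is skipped and
# reported back instead of being installed silently.
def plan_task(task, report)
  pending = report[:pending].map { |p| [p[:name], p] }.to_h
  results = task[:packages].map do |req|
    p = pending[req[:name]]
    if p.nil?
      { name: req[:name], status: 'skipped', reason: 'not pending on this host' }
    elsif p[:candidate] != req[:version]
      { name: req[:name], status: 'skipped',
        reason: "candidate is #{p[:candidate]}, task asked for #{req[:version]}" }
    else
      { name: req[:name], status: 'planned',
        command: ['apt-get', 'install', '-y', "#{p[:name]}=#{p[:candidate]}"] }
    end
  end
  { task_id: task[:id], host: report[:host], results: results }
end

# Status message returned to the control centre once the task has been handled.
def status_message(plan)
  JSON.generate(plan)
end
```

A real agent would execute each planned command and replace `planned` with the package manager's exit status before sending the message back.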
The control centre is a Ruby on Rails application and is intended to quickly display the status of the system landscape. How many systems are up to date, and which ones? Where are updates pending? Has anything gone wrong recently?
Systems and applications can also be sorted into groups so that updates can be installed group-wide.
upd89 is not a jack of all trades but a solution that focuses solely on software updates – a job that it does with great efficiency. It’s also a new project where feedback and improvements are very welcome. Interested? upd89 is completely open-source and can be downloaded from GitHub.